S. D.

KANENGONI

Network Security MSC INT’ COMPUTER

SCIENCE
Course Outline

Lesson 1. Cryptography recap

Lesson 2. Network security

Lesson 3. Network Security Protocols

Lesson 4. S.E.T

Lesson 5. E-Commerce Security

TEACH A COURSE 2
Cryptography
RECAP
We will cover these skills:
 Basic terminology
 Symmetric Encryption
 Asymmetric Encryption

TEACH A COURSE 3
 SOME BASIC
TERMINOLOGY

• plaintext - original message

• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering ciphertext from plaintext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext
without knowing key
• cryptology - field of both cryptography and cryptanalysis
CLASSICAL
SUBSTITUTION
CIPHERS

• where letters of plaintext are replaced by other letters or by

numbers or symbols

• or if plaintext is viewed as a sequence of bits, then substitution

involves replacing plaintext bit patterns with ciphertext bit
patterns
TRANSPOSITION
CIPHERS

• now consider classical transposition or permutation

ciphers

• these hide the message by rearranging the letter order

• without altering the actual letters used

• can recognise these since have the same frequency distribution as the original
text
 SYMMETRIC
ENCRYPTION

• or conventional / private-key / single-key

• sender and recipient share a common key

• all classical encryption algorithms are private-key

• was only type prior to invention of public-key in 1970’s

• and by far most widely used

SYMMETRIC CIPHER
MODEL
REQUIREMENT
S

• two requirements for secure use of symmetric

encryption:
• a strong encryption algorithm
• a secret key known only to sender / receiver
• mathematically have:
Y = EK(X)

X = DK(Y)
• assume encryption algorithm is known
• implies a secure channel to distribute key

• Examples: 3DES, AES, DES and RC4

 ASYMMETRIC
ENCRYPTION

• Asymmetric Key Encryption is based on public and private key

encryption technique.

• It uses two different key to encrypt and decrypt the message.

• It is more secure than symmetric key encryption technique but is much

slower.
ASYMMETRIC
ENCRYPTION
Network
Security
We will cover these skills:
 Network Security Principles
 Network Security Protocols
 Network Security Model

TEACH A COURSE 12
 Network Security

• Network Security refers to the measures taken by any enterprise or organisation

to secure its computer network and data using both hardware and software
systems.

• This aims at securing the confidentiality and accessibility of the data and
network.

• Every company or organisation that handles large amount of data, has a degree
of solutions against many cyber threats.
 Network Security

• The network security solutions protect various vulnerabilities of the computer

systems such as:

1. Users
2. Locations
3. Data
4. Devices
5. Applications
 Network Security Levels

Physical Network Security: This is the most basic level that includes protecting
the data and network though unauthorized personnel from acquiring the control
over the confidentiality of the network.

Technical Network Security: It primarily focusses on protecting the data stored in

the network or data involved in transitions through the network.

Administrative Network Security: This level of network security protects user

behavior like how the permission has been granted and how the authorization
process takes place.
 Network Security Principles

• In present day scenario security of the system is the sole priority of any
organisation.

• The main aim of any organisation is to protect their data from attackers.

• In cryptography, attacks are of two types such as Passive attacks and Active
attacks.
 Network Security Principles

The Principles of Security can be classified as follows:

Confidentiality: The degree of confidentiality determines the secrecy of the
information.
Authentication: The mechanism to identify the user or system or the entity.

Integrity: Gives the assurance that the information received is exact and accurate.
Non-Repudiation: A mechanism that prevents the denial of the message content sent
through a network.
 Network Security Principles

Access control: The principle of access control is determined by role management

and rule management. Role management determines who should access the data
while rule management determines up to what extent one can access the data. The
information displayed is dependent on the person who is accessing it.

Availability: The resources will be available to authorize party at all times.

Information will not be useful if it is not available to be accessed. Systems should
have sufficient availability of information to satisfy the user request.
 Types of Network Security

1) Access control: Not every person should have complete allowance to the
accessibility to the network or its data. The one way to examine this is by going
through each personnel’s details. This is done through Network Access Control
which ensures that only a handful of authorized personnel must be able to work
with allowed amount of resources.

2) Antivirus & Anti-malware Software: This type of network security ensures

that any malicious software does not enter the network and jeopardize the
security of the data.
 Types of Network Security

3) Cloud Security: Now a day, a lot many organisations are joining hands with the
cloud technology where a large amount of important data is stored over the internet.

Many businesses embrace SaaS applications for providing some of its employees
the allowance of accessing the data stored over the cloud.
 Network Security Model

A Network Security Model exhibits how the security service has been
designed over the network to prevent the opponent from causing a threat
to the confidentiality or authenticity of the information that is being
transmitted through the network.
Network Security Model
 Network Security Model

This model shows that there are four basic tasks in designing a particular security
service:

1. Design an algorithm for performing the security-related transformation.

2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of secret information.
4. Specify a protocol to be used by the two principles that make use of the security
algorithm and the secret information to achieve a particular security service.
Network
Security
Protocols
We will cover these skills:
 Ipsec
 SSL
 TLS
 SET

TEACH A COURSE 24
 Network Security Protocols

Network Security Protocols provides secure connection between two points that is
the client and the server over a network or internet.

Below are some of the common protocols:

• IP security - IPSec

• SECURE SOCKET LAYER - SSL

• TRANSPORT LAYER SECURITY- TLS

 IP security (IPSec)

• The IP security (IPSec) is an Internet Engineering Task Force (IETF) standard

suite of protocols between 2 communication points across the IP network that
provide data authentication, integrity, and confidentiality.

• It also defines the encrypted, decrypted and authenticated packets.

• The protocols needed for secure key exchange and key management are defined
in it.
 Uses of (IPSec)

• To encrypt application layer data.

• To provide security for routers sending routing data across the public internet.
• To provide authentication without encryption, like to authenticate that the data
originates from a known sender.

• To protect network data by setting up circuits using IPsec tunneling in which all
data is being sent between the two endpoints is encrypted, as with a Virtual
Private Network(VPN) connection.
 IPSec Architecture

• IPSec (IP Security) architecture uses two protocols to secure the traffic or data
flow.

• These protocols are ESP (Encapsulation Security Payload) and AH

(Authentication Header).

• IPSec Architecture include protocols, algorithms, DOI, and Key Management.

IPSec Architecture
 Secure Socket Layer (SSL)

• Secure Socket Layer (SSL) provides security to the data that is transferred
between web browser and server.

• SSL encrypts the link between a web server and a browser which ensures that all
data passed between them remain private and free from attack.
 Transport Layer Security (TLS)

• Transport Layer Securities (TLS) are designed to provide security at the

transport layer.

• TLS was derived from a security protocol called Secure Service Layer (SSL).

• TLS ensures that no third party may eavesdrops or tampers with any message.
 Benefits of TLS/SSL

• Encryption: TLS/SSL can help to secure transmitted data using encryption.

• Interoperability: TLS/SSL works with most web browsers, including Microsoft

Internet Explorer and on most operating systems and web servers.

• Algorithm flexibility: TLS/SSL provides operations for authentication

mechanism, encryption algorithms and hashing algorithm that are used during
the secure session.
 Benefits of TLS/SSL

• Ease of Deployment: Many applications TLS/SSL temporarily on a windows

server 2003 operating systems.

• Ease of Use: Because we implement TLS/SSL beneath the application layer,

most of its operations are completely invisible to client. and hashing algorithm
that are used during the secure session.
Secure Electronic
Transaction (SET)

We will cover these skills:

 SET Protocol Scenario
 Requirements in SET
 SET Functionalities

TEACH A COURSE 34
 Secure Electronic Transaction
(SET) Protocol

• Secure Electronic Transaction or SET is a system that ensures the security and
integrity of electronic transactions done using credit cards in a scenario.

• SET is not some system that enables payment but it is a security protocol applied
to those payments.

• It uses different encryption and hashing techniques to secure payments over the
internet done through credit cards.
 SET Protocol Scenario

• SET protocol restricts the revealing of credit card details to merchants thus keeping hackers
and thieves at bay. The SET protocol includes Certification Authorities for making use of
standard Digital Certificates like X.509 Certificate.
 REQUIREMENTS in SET

• It has to provide mutual authentication i.e., customer (or cardholder) authentication by

confirming if the customer is an intended user or not, and merchant authentication.

• It has to keep the PI (Payment Information) and OI (Order Information) confidential by

appropriate encryptions.

• It has to be resistive against message modifications i.e., no changes should be allowed in the
content being transmitted.

• SET also needs to provide interoperability and make use of the best security mechanisms
 SET Functionalities

1. Provide Authentication

• Merchant Authentication – To prevent theft, SET allows customers to check

previous relationships between merchants and financial institutions. Standard
X.509V3 certificates are used for this verification.
• Customer / Cardholder Authentication – SET checks if the use of a credit
card is done by an authorized user or not using X.509V3 certificates.
 SET Functionalities

2. Provide Message Confidentiality: Confidentiality refers to preventing unintended people from

reading the message being transferred. SET implements confidentiality by using encryption
techniques. Traditionally DES is used for encryption purposes.

3. Provide Message Integrity: SET doesn’t allow message modification with the help of
signatures. Messages are protected against unauthorized modification using RSA digital signatures
with SHA-1 and some using HMAC with SHA-1,
eCommerce
Security
We will cover these skills:
 What it is ECommerce
 Security issues with
Ecommerce
 Protection against
ecommerce threats

TEACH A COURSE 40
 What is E-Commerce?
 Refers to the exchange of goods and services over
the Internet
 Consumer transactions
 Business to business transactions
 Service industry transactions
 What is E-Commerce?
 Refers to the exchange of goods and services over
the Internet
 Consumer transactions
 Business to business transactions
 Service industry transactions
 What is the problem?
 Providing a secure and safe environment for
consumers to do business online
 No side effects
 Must provide:
• Authentication
• Authorization
• Encryption
• Auditing
 Why is this important to you?
 E-Commerce affects anyone who shops online
 Unsecure e-commerce can lead to identity theft,
credit card theft, vulnerable bank accounts, etc
 Companies that consumers are associated with
can be affected and therefore indirectly affect the
consumer
What is being done about e-commerce security
issues?
Build security into web applications in the design
state
• Detailed Risk assessment
• Key information
 Transaction details
 Analyze threats
 Countermeasures
 SSL – Secure Socket Layer
 Visa & Mastercard developed SET
What is being done about e-commerce security
issues? (cont.)
 Firewalls
 Many companies use the Kerberos protocol
 Microsoft, Verisign & Webmethods developed XML
(Extensible Markup Language) key management
specification (XKMS)
 Encryption of private information
 What can you do to protect yourself?
 Keep private data safe
 Install a firewall
 Use anti-virus software
 Be smart about the sites you visit
 What does the future hold for this issue?
 E-commerce is safer than ever
 It’s up to you
 It’s up to merchants
 US e-commerce sales will nearly double in the
next five years
 Wi-Fi Security